The specific goal of this proposal is to design and implement efficient self-healing mechanisms that allow a sensor network to recover from node compromises by itself. To achieve this goal, this proposal describes a self-healing framework that consists of three sequential phases: node compromise detection, node revocation, and network reconfiguration, and focuses on designing efficient schemes for each of these phases. It proposes to identify suspicious sensor nodes through time synchronization protocols and location changes of sensor nodes, in addition to other sources of discovering suspicious nodes.

the security keys possessed by the nodes that have been identified as compromised.
1. Statement of Problem

When sensor networks are deployed in an unattended and hostile environment such as a battlefield, sensor nodes must be furnished with cryptographic mechanisms to protect the confidentiality and authenticity of sensor readings from being jeopardized by an adversary. Cryptography, however, can only provide the first layer of protection. The low cost of sensor nodes (e.g., less than $1 as envisioned for smart dust) precludes built-in tamper-resistance capability in sensor nodes. Indeed, recent advances in physical attacks show that even memory chips with built-in tamper-resistance are subject to various memory read-out attacks. Thus, the lack of tamper-resistance coupled with the unattended nature gives an adversary the opportunity to break into captured sensor nodes to obtain the code and the sensitive information, such as encryption or authentication keys, loaded in these sensor nodes. An adversary may replace the original code with malicious code, and it may deploy many cloned malicious nodes with the obtained keys. The cloned nodes can participate in the network to launch various kinds of passive and active security attacks.

Recently, several preventative security mechanisms have been proposed to restrict the security impact of node compromises to the one-hop range of the compromised nodes and to filter out false sensor readings injected into the network by a certain number of compromised, colluding nodes. Despite their increased complexity and performance overhead, these schemes do not solve the node compromise problem completely. When the number of compromised nodes exceeds the security threshold of these schemes, an adversary can break the system and easily launch security attacks. To fully address the node compromise problem, we believe that it is essential to detect the compromised nodes in a timely fashion and isolate them from the rest of the network. It is desirable that a sensor network have a self-healing capability, so that the security of the system will not be broken even after a relatively high number of sensor nodes have been compromised. With the self-healing capability, a sensor network can employ lightweight prevention techniques to reduce the normal operational overhead.

2. Summary of The Most Important Results

To achieve the design goals, we have developed through this project a suite of security mechanisms spanning node compromise detection, verification, and revocation.

2.1: Direct Results from this project

based on verifying the genuineness of the running program, we propose two distributed software-based attestation schemes that are well tailored for sensor networks. These schemes are based on a pseudorandom noise generation mechanism and a lightweight block-based pseudorandom memory traversal algorithm. Each node is loaded with pseudorandom noise in its empty program memory before deployment, and later on multiple neighbors of a suspicious node collaborate to verify the integrity of the code


containing sensor worms. Our work is the first to propose countermeasures against sensor worms. [Yi et al., Mobihoc 2008]
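The attestation scheme described above has two ingredients: empty program memory is filled with pseudorandom noise before deployment, and a verifier's challenge drives a pseudorandom, block-wise walk over memory whose digest the verifier can recompute from its own copy of the expected image. The following is an added example that models both steps in Python; it is not code from the project or the cited paper. The block size, memory size, the SHA-256/HMAC-based noise and traversal generators, and the node images are all constructed assumptions chosen to keep the example self-contained.

```python
import hashlib
import hmac
import random

# Toy memory model (assumed parameters for this example, not taken from the page).
BLOCK_SIZE = 16   # bytes per memory block visited by the traversal
MEM_SIZE = 512    # total program memory of the simulated node


def fill_noise(program: bytes, noise_seed: bytes, mem_size: int = MEM_SIZE) -> bytes:
    """Pre-deployment step: the program is followed by pseudorandom noise derived
    from a per-node seed, so the image has no free space in which injected code
    could sit without changing at least one block of the image."""
    if len(program) > mem_size:
        raise ValueError("program does not fit in memory")
    free = mem_size - len(program)
    noise, counter = b"", 0
    while len(noise) < free:
        noise += hmac.new(noise_seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return program + noise[:free]


def traversal_order(challenge: bytes, n_blocks: int) -> list:
    """Block-based pseudorandom traversal: the verifier's challenge seeds a PRNG
    that yields a permutation of block indices, so the prover must read every
    block in an order it did not know before the challenge arrived."""
    seed = int.from_bytes(hashlib.sha256(challenge).digest(), "big")
    order = list(range(n_blocks))
    random.Random(seed).shuffle(order)
    return order


def attest(memory: bytes, challenge: bytes) -> bytes:
    """Prover side: chain the blocks of its own memory, in challenge order, into a digest."""
    n_blocks = len(memory) // BLOCK_SIZE
    h = hashlib.sha256(challenge)
    for b in traversal_order(challenge, n_blocks):
        h.update(memory[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE])
    return h.digest()


def verify(expected_image: bytes, challenge: bytes, response: bytes) -> bool:
    """Verifier side: a neighbour holding the node's expected image recomputes the
    digest for the same challenge and compares in constant time."""
    return hmac.compare_digest(attest(expected_image, challenge), response)


def collaborative_verdict(expected_image: bytes, prover_memory: bytes,
                          n_verifiers: int = 3, rng_seed: int = 7) -> bool:
    """Several neighbours each issue an independent challenge to the suspicious
    node; it is accepted only if every one of them gets the expected response.
    rng_seed just makes the example reproducible; real verifiers use fresh randomness."""
    rng = random.Random(rng_seed)
    for _ in range(n_verifiers):
        challenge = rng.getrandbits(128).to_bytes(16, "big")
        response = attest(prover_memory, challenge)  # what the node under test sends back
        if not verify(expected_image, challenge, response):
            return False
    return True


def tamper(image: bytes, offset: int, length: int) -> bytes:
    """Simulate a modified node image by flipping every bit in a slice (constructed input)."""
    buf = bytearray(image)
    for i in range(offset, offset + length):
        buf[i] ^= 0xFF
    return bytes(buf)


if __name__ == "__main__":
    program = b"constructed sense-and-report firmware image"      # constructed sample program
    image = fill_noise(program, b"constructed-node-17-noise-seed")  # constructed per-node seed
    print("genuine node accepted:", collaborative_verdict(image, image))
    altered = tamper(image, 300, 8)   # change inside the noise area
    print("altered node accepted:", collaborative_verdict(image, altered))
```

The model deliberately leaves out the timing side of software attestation: a node that keeps a pristine copy of its image elsewhere could still answer correctly, which is why the noise fill (leaving no room for such a copy) and response-time measurement are both needed in practice.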

We studied the problem of node cloning attacks in sensor networks. The existing defenses against clone attacks are not only very few, but also suffer from selective interruption of detection and high overhead (computation and memory). We propose a new effective and efficient scheme, called SET, to detect such clone attacks. The key idea of SET is to detect clones by computing set operations (intersection and union) of exclusive subsets in the network. First, SET securely forms exclusive unit subsets among one-hop neighbors in the network in a distributed way. This secure subset formation also provides authentication of nodes' subset membership. SET then employs a tree structure to compute non-overlapping set operations and integrates interleaved authentication to prevent unauthorized falsification of subset information during forwarding. Randomization is used to further make the exclusive subset and tree formation unpredictable to an adversary. Performance analysis and simulations also demonstrate that the proposed scheme is more efficient than existing schemes from both communication and memory cost standpoints. [Choi et al., Securecomm 2007]
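To make the SET idea concrete, here is an added Python example (not the project's own code) that forms exclusive one-hop subsets in a randomized order, has each subset leader report its members' claimed IDs under a MAC, and merges the reports pairwise up a tree so that any ID shared by two sibling sets is flagged as a clone. The topology, the per-node keys derived from one constructed master secret, and the simplified MAC (one per report rather than interleaved hop-by-hop authentication) are assumptions made for this example.

```python
import hashlib
import hmac
import random

# Constructed master secret; in the real scheme each node holds its own key shared with
# the base station. Deriving per-node keys from one secret is an assumption made here.
MASTER_SECRET = b"constructed-master-secret"

# Constructed topology. Physical nodes are named "<claimed id>@<site>"; two physical
# nodes both claiming id n5 exist at sites A and B, which is a clone. Each entry lists
# the node's one-hop neighbours.
NEIGHBORS = {
    "n1@A": {"n2@A", "n3@A"},
    "n2@A": {"n1@A", "n3@A", "n5@A"},
    "n3@A": {"n1@A", "n2@A", "n4@M", "n5@A"},
    "n5@A": {"n2@A", "n3@A"},
    "n4@M": {"n3@A", "n6@B"},
    "n6@B": {"n4@M", "n7@B", "n5@B"},
    "n7@B": {"n6@B", "n8@B", "n5@B"},
    "n8@B": {"n7@B"},
    "n5@B": {"n6@B", "n7@B"},
}


def claimed_id(handle: str) -> str:
    return handle.split("@")[0]


def node_key(node_id: str) -> bytes:
    return hmac.new(MASTER_SECRET, node_id.encode(), hashlib.sha256).digest()


def form_exclusive_subsets(neighbors: dict, seed: int) -> list:
    """Randomised exclusive unit-subset formation. Leaders are visited in a seeded
    random order; each unassigned leader takes every still-unassigned one-hop
    neighbour, so every physical node ends up in exactly one subset."""
    rng = random.Random(seed)
    order = sorted(neighbors)
    rng.shuffle(order)
    assigned, subsets = set(), []
    for leader in order:
        if leader in assigned:
            continue
        members = {leader} | {n for n in neighbors[leader] if n not in assigned}
        assigned |= members
        subsets.append((leader, frozenset(members)))
    return subsets


def sign_report(leader: str, members: frozenset) -> dict:
    """Subset report: the claimed ids of the members plus a MAC by the leader, so a
    forwarding node cannot alter the membership list unnoticed. Two members claiming
    the same id inside one subset are flagged locally by the leader."""
    ids = [claimed_id(m) for m in members]
    local_clones = {i for i in ids if ids.count(i) > 1}
    id_set = frozenset(ids)
    payload = ",".join(sorted(id_set)).encode()
    return {"leader": claimed_id(leader), "ids": id_set, "local_clones": local_clones,
            "mac": hmac.new(node_key(claimed_id(leader)), payload, hashlib.sha256).digest()}


def verify_report(report: dict) -> bool:
    payload = ",".join(sorted(report["ids"])).encode()
    expected = hmac.new(node_key(report["leader"]), payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, report["mac"])


def aggregate(id_sets: list):
    """Tree-structured aggregation: sibling sets are merged pairwise, bottom-up.
    Exclusive subsets share no physical node, so an id common to two siblings can
    only come from a clone. Returns (union, clones)."""
    if len(id_sets) == 1:
        return id_sets[0], set()
    mid = len(id_sets) // 2
    left, cl = aggregate(id_sets[:mid])
    right, cr = aggregate(id_sets[mid:])
    return left | right, cl | cr | set(left & right)


def detect_clones(neighbors: dict, seed: int) -> set:
    """Base-station view: verify every subset report, then aggregate and return clone ids."""
    reports = [sign_report(leader, members)
               for leader, members in form_exclusive_subsets(neighbors, seed)]
    if not all(verify_report(r) for r in reports):
        raise ValueError("falsified subset report")
    _, clones = aggregate([r["ids"] for r in reports])
    for r in reports:
        clones |= r["local_clones"]
    return clones


if __name__ == "__main__":
    print("clones detected:", detect_clones(NEIGHBORS, seed=1))
```

Because the two n5 instances are never one-hop neighbours of the same leader, every seed places them in different subsets, and the intersection at some internal tree node exposes the duplicated id; the MAC check is what stops a forwarding node from deleting an id from a report to hide the overlap.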

We also studied secure sensor data aggregation. Hop-by-hop data aggregation is a very important technique for reducing the communication overhead and energy expenditure of sensor nodes during data collection in a sensor network. However, because individual sensor readings are lost in the per-hop aggregation process, compromised nodes in the network may forge false values as the aggregation results of other nodes, tricking the base station into accepting spurious aggregation results. Here a fundamental challenge is: how can the base station obtain a good approximation of the fusion result when a fraction of the sensor nodes are compromised? To answer this challenge, we proposed SDAP [Yi et al., Mobihoc'06, TISSEC'08], a Secure Hop-by-hop Data Aggregation Protocol for sensor networks, based on the principles of divide-and-conquer and commit-and-attest. SDAP achieves a level of efficiency close to that of an ordinary hop-by-hop aggregation protocol while providing a certain assurance on the trustworthiness of the aggregation result.
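The two SDAP principles can be illustrated with a small simulation. The following is an added Python example, not the protocol's own specification: the aggregation tree is split into logical groups by a hash-based leader selection (divide-and-conquer), each group leader commits to its count and sum under a MAC, the base station flags groups whose average is far from the median, and only flagged groups are asked to attest by sending their members' individually authenticated readings, which lets the base station recompute the aggregate and discard a falsified commitment. The tree, the readings, the median-distance outlier rule, and the key derivation from one constructed master secret are all assumptions made for this example.

```python
import hashlib
import hmac
import statistics

MASTER_SECRET = b"constructed-master-secret"   # per-node keys are derived from it (assumption)

# Constructed aggregation tree (child -> parent); "bs" is the base station.
PARENT = {
    "a": "bs", "b": "bs",
    "a1": "a", "a2": "a", "b1": "b", "b2": "b",
    "a11": "a1", "a12": "a1", "b11": "b1", "b12": "b1",
}
# Constructed readings (say, temperature in tenths of a degree), one per node.
READINGS = {node: 200 + 2 * i for i, node in enumerate(PARENT)}


def mac(node: str, *fields) -> bytes:
    key = hmac.new(MASTER_SECRET, node.encode(), hashlib.sha256).digest()
    payload = "|".join(str(f) for f in fields).encode()
    return hmac.new(key, payload, hashlib.sha256).digest()


def select_leaders(parent: dict, round_seed: bytes, p: float) -> set:
    """Divide-and-conquer: a node becomes a logical group leader when a hash of
    (round seed, node id) falls below p, so group boundaries are unpredictable and
    change every round. The base station always closes the remaining group."""
    leaders = {"bs"}
    for node in parent:
        h = hashlib.sha256(round_seed + node.encode()).digest()[:4]
        if int.from_bytes(h, "big") / 2 ** 32 < p:
            leaders.add(node)
    return leaders


def form_groups(parent: dict, leaders: set) -> dict:
    """Each node belongs to the group of its nearest leader ancestor (itself included)."""
    groups = {}
    for node in parent:
        cur = node
        while cur not in leaders:
            cur = parent[cur]
        groups.setdefault(cur, set()).add(node)
    return groups


def commit(leader: str, members: set, readings: dict, forged_sum=None) -> dict:
    """Commit: the leader reports the count and sum of its group under its own MAC.
    forged_sum simulates a compromised leader substituting a false aggregate."""
    count = len(members)
    total = sum(readings[m] for m in members) if forged_sum is None else forged_sum
    return {"leader": leader, "count": count, "sum": total, "mac": mac(leader, count, total)}


def suspicious_groups(commits: list, tau: float) -> set:
    """Base station flags groups whose average lies more than tau from the median group average."""
    avg = {c["leader"]: c["sum"] / c["count"] for c in commits}
    med = statistics.median(avg.values())
    return {g for g, a in avg.items() if abs(a - med) > tau}


def attest(c: dict, members: set, signed_readings: dict) -> bool:
    """Attest: members of a flagged group send their readings, each under its own MAC;
    the base station checks every MAC and recomputes the committed aggregate."""
    if not hmac.compare_digest(c["mac"], mac(c["leader"], c["count"], c["sum"])):
        return False
    for m in members:
        reading, tag = signed_readings[m]
        if not hmac.compare_digest(tag, mac(m, reading)):
            return False
    total = sum(signed_readings[m][0] for m in members)
    return c["count"] == len(members) and c["sum"] == total


def run_round(leaders: set, forged_leader=None, forged_sum=None, tau: float = 10.0):
    """One aggregation round; returns (estimate of the network mean, rejected group leaders)."""
    groups = form_groups(PARENT, leaders)
    commits = [commit(l, m, READINGS, forged_sum if l == forged_leader else None)
               for l, m in groups.items()]
    signed = {n: (r, mac(n, r)) for n, r in READINGS.items()}   # replies to attestation requests
    flagged = suspicious_groups(commits, tau)
    rejected = {c["leader"] for c in commits
                if c["leader"] in flagged and not attest(c, groups[c["leader"]], signed)}
    accepted = [c for c in commits if c["leader"] not in rejected]
    estimate = sum(c["sum"] for c in accepted) / sum(c["count"] for c in accepted)
    return estimate, rejected


if __name__ == "__main__":
    print(run_round({"bs", "a", "b1"}))
    print(run_round({"bs", "a", "b1"}, forged_leader="a", forged_sum=5000))
```

Only flagged groups pay the attestation cost, which is what keeps the protocol close to plain hop-by-hop aggregation in the common case; the price is that a forged aggregate small enough to stay within tau of the median goes unattested, so the assurance is bounded by the outlier rule rather than absolute.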

Another important issue we studied is tolerating mobile sink compromises [Song et al., Mobihoc'05, TOSN'08]. Mobile sinks are dispatched to perform critical actions (e.g., collecting data, node revocation) in a sensor network, so their compromise would have catastrophic impacts on sensor applications. We were the first to study this problem and came up with effective solutions based on the principle of least privilege to minimize the impact of mobile sink compromises.

2.2: Additional Results with partial support from this grant

For sensor networks deployed to monitor and report real events, event source location privacy is an attractive and critical security property, which unfortunately is also very difficult and expensive to achieve. This is not only because adversaries may attack sensor source privacy through traffic analysis, but also because sensor networks are very limited in resources. Partially supported by this project, we also developed several schemes for sensor source location privacy.

Specifically, we first studied source location privacy for sensor networks under a global observer who may monitor and analyze the traffic over the whole network. We employ